Tickets accepted upon login but still prompted for password

Andy Rechenberg arechenberg at shermfin.com
Fri Mar 15 11:03:16 EST 2002 

I have a Red Hat Linux 7.1 box setup to use Kerberos authentication
for telnet access.  The KDC is a Windows 2000 Server (SP2).  I have
successfully setup a service principal for the Linux box in the 2000
domain and I have transferred the keytab to the Linux box and imported
it into /etc/krb5.keytab.

A user can successfully obtain tickets from the KDC while logging in,
but when I try to test an automatic telnet login the user's tickets
are accepted but the user is still prompted for a password.  I would
prefer the users not to be prompted once they obtain their Kerberos
tickets.

Am I missing something so obvious it's stupid? :)  I have krb5-telnet
activated in xinetd and have specified it to use login.krb5.  I also
have the default PAM config files for RH7.1.  I have tried using
authconfig to include Kerberos authentication, but that did not make a
difference.  Below are relevant configuration files and sample outputs
from a telnet session.

Any help would be greatly appreciated.  Let me know if you need any
more information.  Please CC: my email address with any responses. 
Thank you in advance.

Regards,
Andrew Rechenberg
Network Team, Sherman Financial Group
arechenberg(at)shermanfinancialgroup.com


***********************************************************
[root at rh71test ~]# telnet rh71test.shermfin.com
Trying 10.1.1.55...
Connected to rh71test.shermfin.com.
Escape character is '^]'.

    rh71test.shermfin.com (Linux release 2.4.2-2 #1 Sun Apr 8 20:41:30
EDT 2001) (4)

login: arechenberg
Password for arechenberg:
Last login: Fri Mar 15 10:38:46 from rh71test

[arechenberg at rh71test ~]$ klist -fe
Ticket cache: FILE:/tmp/krb5cc_p31503
Default principal: arechenberg at SHERMFIN.COM

Valid starting     Expires            Service principal
03/15/02 10:49:24  03/15/02 20:49:24  krbtgt/SHERMFIN.COM at SHERMFIN.COM
        Flags: FPIA, Etype (skey, tkt): DES cbc mode with CRC-32, DES
cbc mode with CRC-32
03/15/02 10:49:24  03/15/02 10:54:24 
host/rh71test.shermfin.com at SHERMFIN.COM
        Flags: FPA, Etype (skey, tkt): DES cbc mode with CRC-32, DES
cbc mode with CRC-32


Kerberos 4 ticket cache: /tmp/tkt601
klist: You have no tickets cached
[arechenberg at rh71test ~]$ telnet -a rh71test.shermfin.com
Trying 10.1.1.55...
Connected to rh71test.shermfin.com (10.1.1.55).
Escape character is '^]'.
[ Kerberos V5 accepts you as ``arechenberg at SHERMFIN.COM'' ]
Password for arechenberg:

^^^^^^^^^^^^^^^^^^^^^^^^^
Tickets accepted, but still prompted for password. :\


[root at rh71test ~]# cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = SHERMFIN.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 default_tgs_enctypes = des-cbc-crc des-cbc-md5
 default_tkt_enctypes = des-cbc-crc des-cbc-md5
 forwardable = true
 proxiable = true

[realms]
 SHERMFIN.COM = {
  kdc = mykdc.shermfin.com:88
  default_domain = shermfin.com
 }

[domain_realm]
 .shermfin.com = SHERMFIN.COM
 shermfin.com = SHERMFIN.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[pam]
 debug = false
 ticket_lifetime = 36000
 renew_lifetime = 36000
 forwardable = true
 krb4_convert = false


[root at rh71test ~]# cat /etc/xinetd.d/krb5-telnet
# default: off
# description: The kerberized telnet server accepts normal telnet
sessions, \
#              but can also use Kerberos 5 authentication.
service telnet
{
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/kerberos/sbin/telnetd
        server_args     = -a valid -L /bin/login.krb5
        log_on_failure  += USERID
        disable         = no
}

[root at rh71test ~]# cat /etc/pam.d/login
#%PAM-1.0
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_console.so

[root at rh71test ~]# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        required      /lib/security/pam_deny.so

account     required      /lib/security/pam_unix.so

password    required      /lib/security/pam_cracklib.so retry=3
password    sufficient    /lib/security/pam_unix.so nullok use_authtok
md5 shadow
password    required      /lib/security/pam_deny.so

session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so

More information about the Kerberos mailing list